On Fri, 2019-06-07 at 16:40 +0200, Roberto Sassu wrote:
On Thu, 2019-06-06 at 13:26 +0200, Roberto Sassu wrote:
Although this choice appears legitimate, it might not be suitable for hardened systems, where the administrator expects that access is denied if there is any error. An attacker could intentionally delete the EVM keys from the system and set the file digest in security.ima to the actual file digest so that the final appraisal status is INTEGRITY_PASS.
Assuming that the EVM HMAC key is stored in the initramfs, not on some other file system, and the initramfs is signed, INTEGRITY_UNKNOWN would be limited to the rootfs filesystem.
There is another issue. The HMAC key, like the public keys, should be loaded when appraisal is disabled. This means that we have to create a trusted key at early boot and defer the unsealing.
There is no need for IMA to appraise the public key file signature, since the certificate is signed by a key on the builtin/secondary trusted keyring. With CONFIG_IMA_LOAD_X509 enabled, the public key can be loaded onto the IMA keyring with IMA-appraisal enabled, but without verifying the file signature.
Mimi
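A simplified model of the appraisal decision discussed in this thread, added here as an illustration and not code from the kernel or from either participant. It assumes an EVM HMAC covering only security.ima (the kernel also covers inode metadata), a raw SHA-256 digest as the security.ima value, and a constructed key; the "hardened" flag stands for the behaviour Roberto describes, where INTEGRITY_UNKNOWN from EVM denies access instead of falling back to the security.ima digest.

```python
import hashlib
import hmac

INTEGRITY_PASS, INTEGRITY_FAIL, INTEGRITY_UNKNOWN = "PASS", "FAIL", "UNKNOWN"


def evm_verify(xattrs, hmac_key):
    """Simplified EVM: HMAC-SHA256 over security.ima only (assumption).
    No HMAC key loaded -> INTEGRITY_UNKNOWN, as when the keys were removed."""
    if hmac_key is None:
        return INTEGRITY_UNKNOWN
    expected = hmac.new(hmac_key, xattrs.get("security.ima", b""),
                        hashlib.sha256).digest()
    if hmac.compare_digest(expected, xattrs.get("security.evm", b"")):
        return INTEGRITY_PASS
    return INTEGRITY_FAIL


def ima_appraise(content, xattrs, hmac_key, hardened):
    """IMA-appraisal decision. Default: UNKNOWN falls back to the digest in
    security.ima. Hardened: any EVM status other than PASS denies access."""
    evm = evm_verify(xattrs, hmac_key)
    if evm == INTEGRITY_FAIL or (evm == INTEGRITY_UNKNOWN and hardened):
        return INTEGRITY_FAIL
    digest = hashlib.sha256(content).digest()
    return INTEGRITY_PASS if xattrs.get("security.ima") == digest else INTEGRITY_FAIL


def label(content, hmac_key):
    """Produce security.ima and security.evm for a file (constructed format)."""
    ima = hashlib.sha256(content).digest()
    return {"security.ima": ima,
            "security.evm": hmac.new(hmac_key, ima, hashlib.sha256).digest()}


def demo():
    key = b"constructed-evm-hmac-key"           # constructed sample key
    original = b"#!/bin/sh\necho hello\n"       # constructed file content
    xattrs = label(original, key)
    modified = b"#!/bin/sh\necho modified\n"
    # security.ima rewritten to the modified file's digest; security.evm untouched
    relabelled = dict(xattrs, **{"security.ima": hashlib.sha256(modified).digest()})
    return {
        "intact": ima_appraise(original, xattrs, key, hardened=False),
        "relabelled_key_loaded": ima_appraise(modified, relabelled, key, False),
        "relabelled_no_key_default": ima_appraise(modified, relabelled, None, False),
        "relabelled_no_key_hardened": ima_appraise(modified, relabelled, None, True),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

With the key loaded the stale HMAC is detected, without it the default path accepts the rewritten security.ima while the hardened path denies it.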